AMENDMENTS TO THE CLAIMS: 



1. (Previously Amended) A method to detect unauthorized reconnaissance or
scanning of a computer network comprising the acts of:

monitoring communications within the network;

detecting a predefined sequential triplet of TCP/IP protocol set packets flowing
within said communications, comprising the steps of:

observing an initial SYN packet originating from a source address;

detecting a next sequential SYN/ACK packet issuing from a target device
address in response to the SYN packet; and

detecting a last sequential RST packet originating from the source address
in response to the SYN/ACK packet; and

issuing an alert indicating unauthorized scanning if the predefined sequence of
packets are each relevant to the source address.

2. (Cancelled) 

3. (Currently Amended) The method of claim 1 or claim 2 wherein the
detecting act further includes the acts of:

providing a histogram in which states of the predefined sequence of packets are
maintained; and

dynamically updating said histogram as selected ones of the predefined sequence
of packets is detected.

4. (Currently Amended) The method of claim 3 wherein the histogram
includes a table partitioned into a first field in which source addresses of network
devices are kept and a second field concatenated to the first field, comprising
initializing or incrementing a state in which a code field representing states in
which in response to an order in which packets in the predefined sequence of packets are
detected, wherein issuing the alert comprises issuing the alert if the state code field has
an alert value.



5-7. (Cancelled)

8. (Currently Amended) The method of claim 4, wherein the issuing act
further includes the act of sending a message to an administrator.

9. (Currently Amended) The method of claim 4, wherein the issuing act
further includes the act of blocking future packets from network computers having
predefined characteristics comprising the source address, the target device address and a
target device port address.

10. (Currently Amended) The method of claim 4, wherein the issuing act
further includes the act of rate-limiting flows of packets from network devices having
predefined characteristics comprising the source address.

11-24. (Cancelled).

25. (Previously Amended) A method to deploy an intrusion detection system
on a network device including acts of: 

providing an algorithm to detect a predefined sequential triplet of TCP/IP protocol 
packets; and 

generating an alert if the predefined triplet of packets is detected and the triplet 
packets are each relevant to a source address; 

wherein the triplet comprises an initial SYN packet originating from the source
address, a next sequential SYN/ACK packet issuing from a target device address in
response to the SYN packet, and a last sequential RST packet originating from the
source address in response to the SYN/ACK packet.

26. (Previously Amended) The method of claim 25 further including the act of
providing a table to record at least one characteristic to identify network devices and 
state code corresponding to a sequence in which the predefined sequential triplet of 
packets are received. 

27-29. (Cancelled) 

30. (Previously Amended) A method to protect devices from malicious attacks
launched on a computer network including the acts of: 

providing on a device to be protected a software program that monitors packets; 

and 

issuing an alert if a predefined sequential triplet of TCP/IP protocol packets are 
detected and the triplet packets are each relevant to a source address; 

wherein the triplet comprises an initial SYN packet originating from the source
address, a next sequential SYN/ACK packet issuing from a target device address in
response to the SYN packet, and a last sequential RST packet originating from the
source address in response to the SYN/ACK packet. 

31-33. (Cancelled).

34. (Currently Amended) The method of claim 30 wherein the software
program includes a table containing codes whose values represent detection of one of the
predefined set of packets and at least one source address associated with at least one of
the codes.

35. (Cancelled)

36. (New) The method of claim 4, wherein each of the predefined sequential
triplet packets comprise a source address field, a target device address field, a source
port field and a target device port field, and wherein dynamically updating the histogram
comprises:

concatenating a source address field, a target device address field, a source port 
field and a target device port field of a packet of the predefined sequential triplet into the 
table first and second fields as an ordered four-tuple; 

hashing the ordered four-tuple; and 

using the hashed ordered four-tuple as a histogram location index. 

37. (New) The method of claim 36, wherein detecting the predefined
sequential triplet comprises:

concatenating source address, target device address, source port and target
device port fields of the SYN packet in a source address-target device address-
source port-target device port first order four-tuple and initializing the state code
field;

concatenating source address, target device address, source port and target
device port fields of the SYN/ACK packet in a reflection of the first order in a
target device address-source address-target device port-source port reflected order
four-tuple and incrementing the initialized state code field; and

concatenating source address, target device address, source port and target 
device port fields of the RST packet in a first order four-tuple and incrementing 
the incremented state code field into the alert value. 

38. (New) The method of claim 37, comprising: 

starting a purge time period; 

purging the state code field upon a lapse of the purge time period.

39. (New) The method of claim 37, wherein detecting the next sequential
SYN/ACK packet comprises matching a look-up table key source address to the
SYN/ACK source address field. 

40. (New) The method of claim 26 further comprising blocking future packets
comprising the source address, the target device address and a target device port address.

41. (New) The method of claim 26 further comprising rate-limiting flows of
packets comprising the source address.

42. (New) The method of claim 26, wherein each of the predefined sequential 
triplet packets comprise a source address field, a target device address field, a source 
port field and a target device port field, comprising dynamically updating a histogram 
by: 

concatenating a source address field, a target device address field, a source port 
field and a target device port field of a packet of the predefined sequential triplet into a 
histogram table field as an ordered four-tuple; 

hashing the ordered four-tuple; and 

using the hashed ordered four-tuple as a histogram location index.

43. (New) The method of claim 42, wherein detecting the predefined
sequential triplet comprises: 

concatenating source address, target device address, source port and target 
device port fields of the SYN packet in a source address-target device address- 
source port-target device port first order four-tuple and initializing the state code; 

concatenating source address, target device address, source port and target 
device port fields of the SYN/ACK packet in a reflection of the first order in a 
target device address-source address-target device port-source port reflected order
four-tuple and incrementing the initialized state code; and

concatenating source address, target device address, source port and target
device port fields of the RST packet in a first order four-tuple and incrementing
the incremented state code into an alert value.

44. (New) The method of claim 43, comprising:
starting a purge time period; 

purging the state code upon a lapse of the purge time period. 

45. (New) The method of claim 43, wherein detecting the next sequential
SYN/ACK packet comprises matching a look-up table key source address to the
SYN/ACK source address field.

46. (New) The method of claim 35 further comprising blocking future packets
comprising the source address, the target device address and a target device port address.

47. (New) The method of claim 35 further comprising rate-limiting flows of
packets comprising the source address.

48. (New) The method of claim 35, wherein each of the predefined sequential
triplet packets comprise a source address field, a target device address field, a source 
port field and a target device port field, comprising dynamically updating a histogram 
by: 

concatenating a source address field, a target device address field, a source port 
field and a target device port field of a packet of the predefined sequential triplet into a 
histogram table field as an ordered four-tuple; 

hashing the ordered four-tuple; and 

using the hashed ordered four-tuple as a histogram location index. 

49. (New) The method of claim 48, wherein detecting the predefined
sequential triplet comprises:

concatenating source address, target device address, source port and target
device port fields of the SYN packet in a source address-target device address-
source port-target device port first order four-tuple and initializing a state code;

concatenating source address, target device address, source port and target
device port fields of the SYN/ACK packet in a reflection of the first order in a
target device address-source address-target device port-source port reflected order 
four-tuple and incrementing the initialized state code; and 

concatenating source address, target device address, source port and target 
device port fields of the RST packet in a first order four-tuple and incrementing 
the incremented state code into an alert value. 

50. (New) The method of claim 49, comprising: 
starting a purge time period; 

purging the state code upon a lapse of the purge time period.

51. (New) The method of claim 49, wherein detecting the next sequential
SYN/ACK packet comprises matching a look-up table key source address to the 
SYN/ACK source address field. 
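
The state table recited in claims 36 to 38 (and repeated in claims 42 to 44 and 48 to 50), shown as an added Python example that is not code from the application. The BLAKE2b hash, the dictionary used as the table, the state code values 1, 2 and 3, the 5-second purge period and the clearing of an entry on a completing ACK are assumptions of this example; the claims specify none of them.

```python
import hashlib

ALERT = 3  # assumed state codes: SYN -> 1, SYN/ACK -> 2, RST -> 3 (alert value)

def index(a_addr, b_addr, a_port, b_port):
    """Hash the concatenated ordered four-tuple into a table location index."""
    key = f"{a_addr}|{b_addr}|{a_port}|{b_port}".encode()
    return hashlib.blake2b(key, digest_size=8).hexdigest()

class TripletDetector:
    def __init__(self, purge_seconds=5.0):  # purge period is an assumed value
        self.table = {}  # index -> (state code, time the SYN was seen)
        self.purge_seconds = purge_seconds

    def observe(self, ts, src, dst, sport, dport, flags):
        """Feed one TCP packet; return the scanning source on alert, else None."""
        # Purge state codes whose purge time period has lapsed.
        self.table = {k: v for k, v in self.table.items()
                      if ts - v[1] <= self.purge_seconds}
        if flags == {"SYN"}:
            self.table[index(src, dst, sport, dport)] = (1, ts)
            return None
        # A SYN/ACK travels target -> source, so its fields are reflected to
        # land on the entry the SYN created; other packets use the first order.
        reflected = flags == {"SYN", "ACK"}
        k = index(dst, src, dport, sport) if reflected else index(src, dst, sport, dport)
        state, t0 = self.table.get(k, (0, ts))
        if reflected and state == 1:
            self.table[k] = (2, t0)
        elif "RST" in flags and state + 1 == ALERT:
            del self.table[k]
            return src
        elif flags == {"ACK"} and state == 2:
            del self.table[k]  # assumption: a completed handshake is not a scan
        return None

# Constructed sample traffic (documentation addresses), not captured data.
PACKETS = [
    (0.0, "198.51.100.7", "192.0.2.10", 40000, 22, {"SYN"}),
    (0.1, "192.0.2.10", "198.51.100.7", 22, 40000, {"SYN", "ACK"}),
    (0.2, "198.51.100.7", "192.0.2.10", 40000, 22, {"RST"}),   # half-open probe
    (1.0, "203.0.113.5", "192.0.2.10", 51000, 443, {"SYN"}),
    (1.1, "192.0.2.10", "203.0.113.5", 443, 51000, {"SYN", "ACK"}),
    (1.2, "203.0.113.5", "192.0.2.10", 51000, 443, {"ACK"}),   # normal handshake
    (1.3, "203.0.113.5", "192.0.2.10", 51000, 443, {"RST"}),
]

def alerts(packets, purge_seconds=5.0):
    det = TripletDetector(purge_seconds)
    return [hit for p in packets if (hit := det.observe(*p))]
```

Without the ACK branch, any client that resets an established connection inside the purge period would raise the same alert as a half-open probe.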



RPS920030010US1 (IRA-10-6316) 






CUSTOMER NO. 26675 



